Thursday, September 30, 2010

Why won't the US or China (or even Russia) admit we're engaged in cyberwar? I have a theory based on historical precedent, involving all three countries: the Korean War. Since my time in the Air Force I knew that US pilots had directly engaged Russian pilots in the skies over Korea in the 1950s. This was an "open secret." Recently I watched the NOVA episode Missing in MiG Alley, which confirmed this fact:

NARRATOR: For 40 years, Russia's role in Korea remained a secret. Now, one of the Soviets' top aces, Sergei Kramarenko, can finally talk about his exploits in MiG Alley.

SERGEI KRAMARENKO: (Russian dialogue)

INTERPRETER: It was a secret mission, neither before nor after the war were we allowed to reveal that we were going to fly for the North Koreans...against the Americans. It was top secret.

SERGEI KRAMARENKO: (Russian dialogue)

INTERPRETER: We were told that in case we were shot down beyond the front line we had to kill ourselves. Not to surrender was in the interests of the State.

SERGEI KRAMARENKO: (Russian dialogue)

INTERPRETER: Of keeping the military secret.

NARRATOR: If word got out of their involvement, the Russians feared the Korean conflict might trigger World War Three. But then, this was not a secret easily kept...

NARRATOR: And yet, while the pilots knew who they were up against, the American public did not. Both sides, Western and Communist, kept the secret.

Colonel Orlov was a Soviet intelligence officer in North Korea.

COLONEL ORLOV: (Russian dialogue)

INTERPRETER: It was kept from the American public in case they demanded action against the Soviet Union. By this time Russia had atomic bomb and neither Washington nor Moscow wanted to risk full-scale nuclear war.

The comparison with our current situation is clear: neither side has an incentive to talk about cyberwar, because it could incite both sides to clamor for escalation.

In a related issue, both sides have no incentive to admit that while their offense is very effective, their defense is horrible.Tweet

Tehran this week secretly appealed to a number of computer security experts in West and East Europe with offers of handsome fees for consultations on ways to exorcize the Stuxnet worm spreading havoc through the computer networks and administrative software of its most important industrial complexes and military command centers...

The impression debkafile sources gained Wednesday, Sept. 29 from talking to European computer experts approached for aid was that the Iranians are getting desperate. Not only have their own attempts to defeat the invading worm failed, but they made matters worse: The malworm became more aggressive and returned to the attack on parts of the systems damaged in the initial attack.

One expert said: "The Iranians have been forced to realize that they would be better off not 'irritating' the invader because it hits back with a bigger punch..."

As it is, the Iranian officials who turned outside for help were described by another of the experts they approached as alarmed and frustrated. It has dawned on them that the trouble cannot be waved away overnight but is around for the long haul. Finding a credible specialist with the magic code for ridding them of the cyber enemy could take several months. After their own attempts to defeat Stuxnet backfired, all the Iranians can do now is to sit back and hope for the best, helpless to predict the worm's next target and which other of their strategic industries will go down or be robbed of its secrets next.

It seems some emotions concerning cyberwar cross all sorts of boundaries!

In order to understand the Russian view in a wider context, a comparison has been made with Russia’s most important competitors – the USA and China – and their approach to information operations...

All three countries agree on the important role information has in today’s conflicts. Over time its importance will grow. The USA has influenced the mindsets of the others, especially regarding ideas about information superiority and information dominance, as well as command and control warfare. Information adds a new dimension to warfare and IW weapons could be used offensively and defensively to protect a country’s own information resources and systems.

Russia and China take a broader view of the essence of information warfare than the USA in the sense that in their approach covers both peacetime and wartime situations, while the US definition is more narrow and related to times of crisis or conflict.

The Chinese view is based on four parameters: pre-emptive strike capability, asymmetric warfare (inferior versus superior), high-tech local war and people’s war. In some documents the term ‘unlimited warfare’ has been mentioned as being a core part of a Chinese view of IW, but the term is disputed by several analysts.

The Chinese concept originates from Sun Tzu’s 36 stratagems, described in his Art of War from 500 BC. One of the most important key factors in the Chinese concept is deception.

The [Chinese] IW perspective covers a long period of time and is not limited to a specific moment, period or conflict. Chinese experts criticize the US doctrine for being much too technology-driven and for not considering the strategic dimension sufficiently.

Moreover it [American doctrine] is too focused on the information and information system of the opponent and does not consider the softer, psychological factors. In the Chinese conceptual framework, cognitive elements are added, such as the opponent’s will and capability to fight. It has a clear political dimension. According to Sun Tzu:

‘To win the war without the fight is the greatest victory’.

In the Chinese approach IO is a component of IW, contrary to the US view. For American experts IO is a way to fight while the Chinese think that IW is the fight itself and is ongoing on many different levels and dimensions over the years.

The Russian view is more closely related to the Chinese where the information-psychological impact of IW is concerned, as well as in the idea that IW is conducted in both peacetime, in the prelude to a conflict, and in wartime and more or less constantly; and on the strategic level as well as the operational and tactical.

I couldn't agree more with this. Here's the Cliff Notes summary:

US cyberwar doctrine is too narrow, focused on technology and on information itself, ignoring the will of the population, and confined to "crisis or conflict" over short periods of time. Americans also think cyberwar is a "way to fight."

Russian and especially Chinese cyberwar doctrine is more expansive, including the will of the population, and is constant and enduring, happening during what others call "peacetime." The Chinese especially think cyberwar is "the fight itself."

This is why I believe the US is fighting a cyberwar now. The Russians and Chinese would agree with me, but other Americans probably don't.Tweet

2. Enable ubiquitous security services for end-to-end network communications that will serve as the foundation for securing future Federal IT systems;

I find the first point laughable. Anyone who has even obliquely worked with IPv6 knows that adopting the protocol will massively increase complexity, whether IPv6 is used natively or especially if it's used in a conjunction with IPv4. Take a few minutes to look at all the extra addresses an IPv6-enabled system provides to see what I mean. Complexity and unfamiliarity with configuring IPv6 will introduce exposures that intruders will exploit. IPv6 stacks are likely to possess vulnerabilities that intruders will also attack. Finally, did you know that many networks will keep NAT even with IPv6? The "abolish NAT" argument is just false.

The second point represents what I think is a a fundamental misunderstanding concerning IPv6. I've written about this before too, but the point is simple: IPv6 is not inherently more secure than IPv4. You can introduce the same level of "security" in IPv4 as you can with IPv6. In fact, IPv6 is in many ways less secure than IPv4; check out all the auto-configuration protocols included with IPv6. Anyone who thinks making "IPSec mandatory in IPv6" means IPSec must be enabled isn't paying attention. "IPSec mandatory in IPv6" means IPv6 must offer IPSec, not that it be enabled [RMB: fixed error, thank you!]. Since you can run IPv4 with IPSec now, there's no advantage to IPv6 in this regard.

I'd also like to comment on the two major directives in the memo:

In order to facilitate timely and effective IPv6 adoption, agencies shall:

2. Upgrade internal client applications that communicate with public Internet servers and supporting enterprise networks to operationally use native IPv6 by the end of FY 2014;

There's also a footnote for the first point:

To ensure interoperability, it is expected that agencies will also continue running IPv4 into the foreseeable future.

I think the first point means Federal servers will offer IPv4 and IPv6 services. I think they mean dual-stack will be allowed. I think the "native" comment means that Federal servers are not allowed to run only IPv4 but be accessible via an IPv6 gateway.

The second point is probably similar, meaning clients will have IPv6 addresses and speak directly to other IPv6 hosts without requiring gateways. That is going to be a security nightmare since the goal of IPv6 is to restore "end to end connectivity," which is inherently at odds with security.

Saturday, September 25, 2010

The new commander of the military’s cyberwarfare operations is advocating the creation of a separate, secure computer network to protect civilian government agencies and critical industries like the nation’s power grid against attacks mounted over the Internet.

The officer, Gen. Keith B. Alexander, suggested that such a heavily restricted network would allow the government to impose greater protections for the nation’s vital, official on-line operations. General Alexander labeled the new network “a secure zone, a protected zone.” Others have nicknamed it “dot-secure.”

It would provide to essential networks like those that tie together the banking, aviation, and public utility systems the kind of protection that the military has built around secret military and diplomatic communications networks — although even these are not completely invulnerable.

I'd like to share five reason why I think this approach will fail.

"dot-secure" becomes new target number one. I can't think of an easier way to help an adversary target the most critical information and capabilities on industry computers. If you're going to attack a company with hundreds of thousands of users and computers, it can be tough to decide where to focus attention. Multiply that target set across dozens or hundreds of companies and the adversary's problems also multiply. Now, suppose those companies put their most sensitive, important data on "dot-secure." Now all the adversary has to do is penetrate that network and take everything.

"Separation" is a fool's goal. Didn't we just read about Operation Buckshot Yankee, where malware jumped between networks of different classification levels? I guarantee users will want and need to transfer information between their normal company Internet-connected computers and "dot-secure." As long as those vectors exist, there is no "separation."

The network will be too big to keep "secure." Organizations build networks because there is value in exchanging information. In fact, the larger the network, the more valuable it becomes. So, what organizations will be allowed to connect to "dot-secure"? It will surely be more than the small handful that have a prayer of successfully defending themselves from APT and similar threats. That means weaker organizations will participate, and they will be compromised. As the network grows, it will get weaker and weaker.

How can "dot-secure" be any more successful than SIPRNet? I don't expect "dot-secure" to be as well-protected as SIPRNet. (And calling SIPRNet "well-protected" is probably causing some people to laugh.) Trying to get a SIPRNet terminal deployed is very expensive, and I don't expect DoD to make the same demands upon organizations as those required to host SIPRNet terminals. Many people consider SIPRNet compromised (I'm repeating public rumors, not confirming -- I have no direct knowledge), so why would "dot-secure" be any more successful?

"dot-secure" is another technical "solution" to a non-technical problem. I am dismayed to see DoD, of all places, taking a vulnerability-centric approach to an inherently threat-centric problem. It's clear that DoD is much more proficient in offense and that the "defense" part of the Department's name is increasingly misplaced. (I prefer the original "Department of War" anyway. Let's not fool ourselves!) How many hundreds of millions, or billions of dollars of taxpayer money could be wasted on "dot-secure," only to see DoD report to the Secretary or the President in 5 or 8 years that the network is also thoroughly compromised. Oops!

I think it would be far cheaper, and more effective, to engage the diplomatic and economic instruments of power to convince threats that they should keep their military and state hands out of American private enterprise.

Tuesday, September 21, 2010

With all the activity concerning Stuxnet, I've been thinking about "cyber weapons." You might recognize the image at left as coming from the venerable rootkit.com site operated by Greg Hoglund since 1999 (for real -- check out archive.org!) When Greg started that site I remember a lot of people complaining about cyber weapons and putting offensive tools in the wrong hands. Now with tools like Metasploit and Ronin, people are bound to worry about the same issues. It would be terrible to see valuable tools get painted with the same "ban the guns" prescriptions I expect to hear when Stuxnet becomes more popular in the media.

So, in this post I'd like to share a few thoughts on differentiating security tools from cyber weapons (CWs). These are just my thoughts so I'd be interested in feedback. Some of them may be controversial and I could probably argue the opposite case for some of the items.

Operators develop CWs privately. I don't think a tool you can download from a public Web site qualifies as a true CW. Yes, you can use tools like Metasploit offensively, but a good deal of the value of a real CW comes from the "whoa" factor. (See the next point.) You can't preserve the "whoa" factor after publishing code on the Web.

CWs tend to be innovative. Innovation means incorporating 0-day attacks (researched by the developers), new command-and-control methods, or other measures. Real CWs take victims by surprise, especially if they target multiple aspects of the kill chain.

CWs tend to have specific effects. Think of Stuxnet and it's programming to alter specific values in PLCs. These are actions designed to damage a target, not provide generic remote control access so intruders can open someone's CD player.

CW value degrades quickly. I believe a real CW is much less valuable after being used, often due to the points listed earlier. It's easier to disable a radar the first time than it is the second or third times. As soon as an aggressor uses a CW on a victim, the victim will try to be better prepared for later attacks and may be able to recognize or even thwart them entirely. Contrast that with a tool designed to help validate defenses or conduct audits.

Intent matters. The intent behind a CW is to enable the agenda of a nation state or other high-end structured threat, not simply to demonstrate a new technique, or be the best penetration tool, or compromise the most victims, or help administrators validate defensive measures. I don't think HD Moore (who wrote a great pitch on cyber weaponry) intends for Metasploit to be used by governments to harm each other or their citizens. Ask someone who develops real CWs for a living why they wrote CW X and they will likely say "because I was under contract to deliver X by date Y for customer Z."

I hope we can be clever enough to separate real CWs like Stuxnet from tools that serve a useful security function like Metasploit, because actions to try to outlaw all offensive tools would be devastating for defenders everywhere.Tweet

I will be speaking at two events organized by TechTarget, for whom I used to write my Snort Report and Traffic Talk articles. The one-day events will be held in Seattle, WA on 28 Sep 10 and in New York on 16 Nov 10. Currently the Emerging Threats site shows details for the Seattle event, where I will discuss What Is Advanced Persistent Threat, and What Can You Do About It?

On a related note, Robert RSnake Hansen will offer two sessions in Seattle. I want to talk to him about ending his blog -- 12 posts left as of today!

Sunday, September 12, 2010

I enjoy reading InformationWeek because it gives me a chance to keep in touch with broader IT trends, and the content is usually solid. The cover story for last week's issue was End Users: Ignore Them At Your Peril (sorry about the odd link; the original is here but requires registration). I started reading the article by Michael Healey of Yeoman Technology Group, but quickly realized Mr Healey is clearly out of touch with the reality of the modern security environment. He writes:

Too many IT teams think of security as their trump card to stop any discussion of emerging tech deemed too risky...

Are we really less secure than we were 10 years ago? Probably not. Much like watching cable news will make you think the world is burning and people are coming to snatch your kids, today's level of security awareness has altered the psyche of IT.

This new awareness is coupled with very real regulatory requirements, such as new Massachusetts privacy laws that require tougher disclosure when there's a security breach or problem.

It's no wonder the security folks are so jumpy. But they're missing the message that CIOs need to hear: Security is working. It's been more than a decade (yes, 10 years) since any particular security flaw has had a truly widespread impact. The Melissa and the ILoveYou attacks were the last.

We're not proposing you drop your guard. Security is a good reason to stop a project that's too risky. But if you've built an effective IT security model that combines base protection, active monitoring, and proactive management, and you stay tied into the overall industry, your chances of a major failure are slim.

Congratulate your security team for once and see if they can start moving out of their foxholes and figure out how to add some new devices and capabilities.

Feel free to stop laughing now, if you can. Clearly the last time Mr Healey paid attention to anything involving security was a decade ago, if all he can cite are "Melissa and the ILoveYou attacks." It sounds like he's the one in the foxhole, supposedly safe while the world around him continues to be in turmoil.

There's so many ways to refute his point of view, but let me close with a really simple idea. Security is simultaneously global and local. Failures can occur at either level. Many organizations care more about the local than the global because local failures are more likely to impact them directly. They tend to care about the global only when it affects the local. In other words, even if no global security failure takes place (like a worm affecting the whole Internet), local security issues will still occupy a lot of security time and resources. The inability to point to a global failure (even correcting for ignorance) says nothing about local security problems.

Thursday, September 09, 2010

Many TaoSecurity Blog readers are undoubtedly familiar with NetWitness. Several weeks ago I met with their CEO and CTO to discuss their products and services. They were kind enough to later provide me with a device that they ship to their engineers to provide testing and experimentation with their product. Here I call it a "Minidecoder," but you can think of it as "NetWitness in an EeeBox PC" (specifically the EeeBox PC EB1012).

As you can see in the diagram, it only has one onboard NIC, and that is used for management. To access traffic, NetWitness provided a Trendnet TU2-ET100 USB to 10/100Mbps Adapter. To try the Minidecoder, I paired it with the DualComm device mentioned in my last post. I basically tapped the Minidecoder's own management port and then generated some basic traffic from the Minidecoder's Linux shell. The sensor also saw its own management traffic, as well as broadcast traffic passed by the wireless bridge to which it was connected.

Setup was pretty painless. I booted the Minidecoder, logged into the Linux OS, connected the network cables, and configured the management port.

To administer the device and access the data, I installed the NetWitness Administrator and Investigator applications on a Windows XP SP3 laptop.

In the screen capture at left, you see part of the Administrator interface. It was easy to add and connect the Minidecoder after I obtained a license from NetWitness. I didn't need to run anything on Windows with Administrator privileges, other than the installation process.

I'm not a big fan of dashboards, but I wouldn't expect to spend much time in this view anyway. The action is in Investigator, which I also installed.

As you can see in the figure at right, NetWitness breaks down the traffic using a variety of means. I'm only showing what would fit on the screen.

One of my favorite aspects of the NetWitness metadata approach is the way it extracts meaningful content automatically, like the system names from within DHCP traffic (independent of DNS names, for example). This is why I've added metadata as the seventh form of NSM data (after full content, session, statistical, alert, transaction, and extracted content). NetWitness is good at depicting "data about data," i.e., details about traffic, derived from the traffic.

I also like the way NetWitness classifies a variety of traffic into "Action Events" like "Get". Here I will select the sessions associated with the Get Action Event to produce the screen shot that follows.

In this screen capture you can see sessions which NetWitness classified as Get events. I chose part of a Lynx session where I browsed to www.bejtlich.net. The large sessions with the "Click to Create" boxes are sessions where I retrieved packages for installing Lynx on the Linux OS of the Minidecoder itself. (Remember this traffic is to and from the Minidecoder, just for the sake of the test.)

I think this is a cool way to get more familiar with NetWitness in a low-impact way. I wouldn't try to stress test this device since neither the hardware nor the NICs are intended for intense use. Rather, you could deploy a device like this in your environment to get a better idea of how NetWitness would process your environment's traffic, or at least a subset of it, if you had to throttle what was sent to the sensor.

Feel free to contact NetWitness for more information, and thanks to Amit and Tim for the demo gear!

John He from DualComm Technology was kind enough to send me one of his company's port-mirroring switches, namely the DCGS-2005 pictured with its box at left.

In the figure, I have port 1 going to a computer I want to monitor. Port 2 is going to the uplink (or access switch) for that computer. Port 5 (at the far right) is going to a sensor.

The idea behind this device is to provide a plug-and-play alternative to network taps. I thought this system was interesting because it acts somewhat like a port aggregating tap, in the sense that two ports are used for accessing the network but only one port is needed by the sensor.

Note that only port 1 is mirrored to port 5. (The manual confirms this, and I did some limited testing. The words on the tap imply ports 1 - 4 are all mirrored.) This is a one-for-one copy. If you connect to ports 2 and 3, 2 and 4, or 3 and 4, you will not see any unicast traffic on port 5.

This device is also different in that in requires a USB connection for power.

Probably the biggest advantages of this device include low cost and simple use. I think the single USB power connection is the biggest disadvantage. I'd also like to know more about the software on the switch itself.

Thanks again to John for sending me this device. Check out DualComm for more information!

I've got a book for the Korean cyber armies, North and South. That's right, it's my first book, The Tao of Network Security Monitoring, now published in Korean! Apparently my publisher just decided to translate and deliver this new edition to Korea. Can anyone who reads Korean comment on how they translated my name?

I've known for a while there is also a Spanish edition, but I've never seen it. I asked to see one of those too.

I have to admit that seeing these foreign language editions motivate me to try to write another solo book. However, I'm just not sure how I would find the time.

Tuesday, September 07, 2010

Some of you may remember my "X vs China" series of posts of 2007, where I discussed multiple high profile cases where various nations noted their disapproval of China's exploitation of their networks. (That's right, 2007 -- three years before the January festivities.) This morning I read Hostile nations trying to steal India's defence secrets, by Rajit Pandit of India's Economic Times. He writes:

Even as Chinese and Pakistani online espionage agents continue their attempts to hack into Indian computer systems, hostile intelligence agencies are also trying to steal defence secrets through use of computer storage media (CSM) devices like pen drives, removable hard disks, CDs, VCDs and the like.

The Intelligence Bureau has sounded a red alert about "intelligence officers of a hostile country'' encouraging their "assets'' working in Indian defence establishments to use CSM devices to pilfer classified information from computer networks...

This comes even as the Army is conducting a court of inquiry against a major posted in the strategically-located Andaman and Nicobar Command, who had stored over 2,000 classified and sensitive documents on his personal computer which was "hacked'' from Pakistan earlier this year...

With cyber-warfare being a top military priority for China, its online espionage agents frequently break into sensitive Indian computer networks.

This story is interesting for two reasons. First, it cites an Indian example of the the risks of personnel with access to classified documents and storage media, similar to the Manning and Wikileaks cases. Second, like the recent Economist magazine discussing the relationship between China and India, it reminds me that China is not just targeting established powers. China is also targeting other rising powers. It would be interesting to research Russia v China or Brazil v China scenarios. Maybe Jeff Carr will post something? (hint)

Sunday, September 05, 2010

I thought this brief question-and-answer session, Richard Clarke: Preparing For A Future Cyberwar by Kim S. Nash extracted the essence of advanced persistent threat problems and how to address them. I'd like to publish the whole article, but instead I'll highlight my favorite sections:

Nash: How can the federal government protect companies?

Clarke: Do more. As a matter of law and policy, the federal government should actively counter industrial espionage.

Most U.S. government counterintelligence operations are focused on intelligence against the government, not companies, and most of those are focused on spies. It's a very 20th-century approach.

Until someone makes law or policy changes that say the U.S. Cyber Command can defend AT&T or Bank of America, it doesn't have the legal authority to do that. I think it should. The government also has to explain the threat to corporations.

Also:

Clarke: Until CEOs and boards of directors are faced with black-and-white evidence that they have lost a terabyte of information and that this has resulted in some other company beating them to market, until they have their noses rubbed in it, they're reluctant to do anything special...

Often, the CIO really needs board-level commitment and CEO commitment, not just of resources but to policies necessary for protection. Most of the time, all people want the CIO to do is keep the network up and costs down. As a result, many CIOs have been hired for their expertise in those areas, not for expertise in figuring out how to make a resilient network that resists attack.

Finally:

Clarke: It should be the federal government's responsibility to tell companies not only when they've been attacked but when others have been, such as their competitors, so they realize this sort of thing is going on...

[S]ometimes companies don't know they've been hacked. But frequently they realize after the fact. You don't know you've lost information until a knockoff of your product or some competing products start showing up in the marketplace.

I agree with all of these sentiments.

Incidentally I started read the library copy of Cyber War but decided I needed to take notes in the margins. So, I bought a copy from Amazon.com. I plan to finish it and review it by the end of the month.

Deputy Defense Secretary Lynn's article (covered by the first Post story) is significant, perhaps for reasons that aren't obvious. First, when I wore the uniform, the fact that a classified system suffered a compromise was itself classified. To this day I cannot say if a classified system I used ever suffered a compromise of any kind. Readers might be kind enough to say if this policy is still in effect today. So, to publicly admit such a widespread event -- one that affected classified systems -- that is a big deal.

Second, Lynn said "this previously classified incident was the most significant breach of U.S. military computers ever." That is significant. It sets a bar against which other incidents can be measured. Why was it so bad?

Adversaries have acquired thousands of files from U.S. networks and from the networks of U.S. allies and industry partners, including weapons blueprints, operational plans, and surveillance data.

That's serious, and specific.

Third, after citing Google's January admission, Lynn says:

Although the threat to intellectual property is less dramatic than the threat to critical national infrastructure, it may be the most significant cyberthreat that the United States will face over the long term.

Every year, an amount of intellectual property many times larger than all the intellectual property contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government agencies.

As military strength ultimately depends on economic vitality, sustained intellectual property losses could erode both the United States' military effectiveness and its competitiveness in the global economy.

I interpret this as saying cyberwar is hurting the US specifically because non-military targets are being hit, repeatedly and persistently.

Finally, I'd like to provide a counterpoint regarding the second Post article. Other pundits are calling DoD's potential offensive strategy "beyond stupid." I'd like to know what's stupid: more of the same failed vulnerability-centric policies and approaches of the last, what, 10, 15, 20 years, or taking a threat-centric approach to apply pressure on the adversary? I also wrote about this in 2007, like some other pundits. In the three years since, playing defense hasn't helped much. Expect more on offensive options in the coming years, in all sectors -- not just the military.

I reviewed the first edition of Hacking Exposed: Wireless (HEW) in May 2007, and offered four stars. Three years later I can confidently say that Hacking Exposed: Wireless, 2nd Ed (HEW2) is a solid five star book. After reading my 2007 review, I believe the authors took my suggestions seriously, and those of other reviewers, and produced HEW2, the best book on wireless security available. If you want to understand wireless -- and not just 802.11, but also Bluetooth, ZigBee, and DECT -- HEW2 is the book for you.

I forgot to mention in my review that this new edition appears to be a substantial rewrite, not a minor editing of old chapters! I didn't do a chapter-by-chapter comparison. I did read the whole book, which the publisher provided as a review copy.